Cyber Posture

CVE-2026-40912

Severity: High · Public PoC available

Published: 30 April 2026

Modified: 01 May 2026
KEV Added: not listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40912 is a high-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Traefik (vendor: Traefik). Its CVSS 3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and remediation of software flaws such as the StripPrefixRegex authentication bypass in vulnerable Traefik versions, preventing exploitation through patching.

SI-10 Information Input Validation (prevent)

Mandates validation of URL path inputs in the reverse proxy so that dot-segment evasions (e.g., /./admin/secret) are detected and rejected before the request is forwarded to the authentication middlewares.

Boundary protection (prevent, detect)

Controls communications at system boundaries through properly configured proxies or WAFs that enforce consistent URL path normalization and matching, blocking crafted requests that would otherwise evade ForwardAuth.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in the public-facing Traefik reverse proxy/load balancer, directly enabling remote exploitation of a public-facing application by unauthenticated attackers crafting malicious requests to access protected resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high-severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

Deeper analysis

CVE-2026-40912 is a high-severity authentication bypass vulnerability (CVSS 3.1 score of 8.2) affecting Traefik, an HTTP reverse proxy and load balancer. The issue resides in the StripPrefixRegex middleware when combined with ForwardAuth, BasicAuth, or DigestAuth, and affects versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. Specifically, the middleware applies regex matching against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. If a dot (or multiple dots) appears in the URL prefix, the stripped raw path begins with a dot-segment (e.g., /./admin/secret). The authentication middlewares compare this un-normalized path against their protected patterns, so the protection is evaded, while the backend later normalizes the dot-segment per RFC 3986.

An unauthenticated network attacker (AV:N/AC:L/PR:N) can exploit this by crafting a request with dots in the prefix portion of a protected URL path. The dot-segment path is forwarded in the X-Forwarded-Uri header to ForwardAuth, which fails to match it against protected patterns, allowing the request to proceed. The backend then normalizes the dot-segment to the actual protected path, resulting in unauthorized access to sensitive content (C:H/I:L/A:N). This works against any backend performing dot-segment normalization as defined in RFC 3986.

Traefik has addressed the vulnerability in patched releases: versions 2.11.43, 3.6.14, and 3.7.0-rc.2. Security practitioners should upgrade immediately to these versions, as detailed in the official GitHub release notes and security advisory (GHSA-6jwx-7vp4-9847). The issue is linked to CWE-706 (Use of Incorrectly-Resolved Name or Reference).
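The root cause described in the NVD description and the analysis above is a single path evaluated in two forms: the authorizer sees a dot-segment path while the backend serves the normalized one. The following Go snippet is an added illustration, not code from the Traefik project or this advisory: a ForwardAuth-style check that matches X-Forwarded-Uri as received misses /./admin/secret, while one that percent-decodes and removes dot-segments first (the RFC 3986 normalization the backend applies) decides on the real path and can also flag the non-canonical request for logging. The ProtectedPrefixes policy, function names and sample URIs are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ProtectedPrefixes is a constructed sample policy: a path is protected when it equals a prefix or lies below it.
var ProtectedPrefixes = []string{"/admin", "/api/internal"}

// DecodeAndClean percent-decodes the path of a forwarded URI and removes dot-segments (RFC 3986 normalization).
func DecodeAndClean(forwardedURI string) (decoded, clean string, err error) {
	u, err := url.Parse(forwardedURI)
	if err != nil {
		return "", "", err
	}
	decoded = u.Path // url.Parse stores the percent-decoded form in Path
	clean = path.Clean("/" + strings.TrimPrefix(decoded, "/")) // removes "." and ".." segments, forces a leading slash
	return decoded, clean, nil
}

// NaiveIsProtected matches the URI exactly as received: "/./admin/secret" does not
// start with "/admin/", so this check lets it through.
func NaiveIsProtected(uri string) bool {
	for _, prefix := range ProtectedPrefixes {
		if uri == prefix || strings.HasPrefix(uri, prefix+"/") {
			return true
		}
	}
	return false
}

// IsProtected normalizes first, so the decision is made on the path the backend will really serve;
// unparseable input fails closed. nonCanonical reports that normalization changed the path (worth logging).
func IsProtected(forwardedURI string) (protected, nonCanonical bool) {
	decoded, clean, err := DecodeAndClean(forwardedURI)
	if err != nil {
		return true, true
	}
	return NaiveIsProtected(clean), decoded != clean
}

func main() {
	for _, uri := range []string{"/./admin/secret", "/%2e/admin/secret", "/static/../admin/", "/public/index.html"} {
		p, nc := IsProtected(uri)
		fmt.Printf("%-20s naive=%-5t normalized=%-5t nonCanonical=%t\n", uri, NaiveIsProtected(uri), p, nc)
	}
}
```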

Details

CWE(s): CWE-706 (Use of Incorrectly-Resolved Name or Reference)

Affected Products: traefik / traefik, versions 3.7.0; ≤ 2.11.43; 3.0.0 to 3.6.14

CVEs Like This One

CVE-2025-54386 (same product: Traefik)
CVE-2026-35051 (same product: Traefik)
CVE-2026-32695 (same product: Traefik)
CVE-2026-39858 (same product: Traefik)
CVE-2026-29054 (same product: Traefik)
CVE-2026-33433 (same product: Traefik)
CVE-2026-26999 (same product: Traefik)
CVE-2026-25949 (same product: Traefik)
CVE-2026-22045 (same product: Traefik)
CVE-2024-57785 (shared CWE-706)
